Friday, August 24, 2007
Restricted Bash (rbash) and Hack-ish Jail
Why hack-ish? Well, I didn't use the formal chroot and other jail technologies to restrict some users. The premise is that certain users will only need a very basic set of commands:
ls
less
ping
tail
ps
top
grep
Create a group for the restricted users:
groupadd monitoringteam
Create a common home and bin directory:
mkdir -p /home/monitor/bin
Add a user:
useradd monitor-guy -g monitoringteam -d /home/monitor -s /bin/rbash
Create (or copy from /etc/skel) .bash_profile and .bashrc inside /home/monitor and add the following:
export PATH=~/bin
Go to the bin directory under /home/monitor and create the soft links of the basic commands:
cd /home/monitor/bin
ln -s /bin/command_here commandname_here
Note: some of the commands live in /usr/bin/; just use 'which' to find the paths. You can fine tune this set-up :) As I said, this is hack-ish, quick and grungy.
Labels: Centos, jail, Linux, rbash
Saturday, August 18, 2007
Monit and Tomcat
Tomcat is acting up. We need to see whether it died gracefully or hung. Using monit we can monitor Tomcat's pid. But what if it is just hanging in there? So, using a monit option, we can also check Tomcat's HTTP response on port 8080.
## Monitor Tomcat's pid
check process tomcat with pidfile /opt/tomcat/logs/tomcat.pid
alert some.alerts@some.domain
mode passive
#
## Monitor Tomcat at port 8080
check host localhost with address 127.0.0.1
start program = "/etc/init.d/tomcat start"
stop program = "/etc/init.d/tomcat stop"
if failed port 8080 protocol http
then restart
alert some.alerts@some.domain
Reset monit services, stop the tomcat services and check the logs.
tail -f /var/log/monit.log
ps -ef | grep tomcat
Hhhmmm... something's weird. Monit didn't restart Tomcat. Checked the logs and got these:
info : 'tomcat' start: /etc/init.d/tomcat
error : 'tomcat' failed to start
Googled some. I then put the /etc/init.d/tomcat start/stop calls in a simple script.
touch start-tomcat.sh
touch stop-tomcat.sh
And changed the /etc/init.d/ lines in monit.conf to:
start program = "/somedir/start-tomcat.sh"
stop program = "/somedir/stop-tomcat.sh"
Test the configs and voila! Back to playing some basic bass stuff: 12 bar blues progression.
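The post creates start-tomcat.sh and stop-tomcat.sh with touch but never shows what went into them. Below is an added example of the kind of wrapper that goes there; it is not the post's script. It assumes monit launches programs with a minimal environment (a common reason an init script that works from a login shell fails under monit), so it sets PATH, JAVA_HOME and CATALINA_HOME explicitly, and after starting it waits for port 8080 to answer so monit's own port check does not race the startup. The init script path and the JAVA_HOME value are placeholders; CATALINA_HOME is taken from the post's pidfile directory.

```shell
#!/bin/sh
# Added example, not from the post: wrapper for monit to call instead of
# /etc/init.d/tomcat directly.  Paths below are placeholders/assumptions.

TOMCAT_INIT="${TOMCAT_INIT:-/etc/init.d/tomcat}"        # placeholder path
export JAVA_HOME="${JAVA_HOME:-/usr/lib/jvm/java}"       # placeholder
export CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat}"     # from the post's pidfile dir
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Return 0 as soon as something accepts TCP on host:port, 1 after $3 attempts
# one second apart.  Uses bash's /dev/tcp so there is no nc/curl dependency.
wait_for_port() {
    host=$1; port=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        if bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Send a line to syslog (where monit's messages also go), or stderr if no logger.
log() { logger -t "${0##*/}" "$*" 2>/dev/null || echo "$*" >&2; }

case "${1:-}" in
  start)
      "$TOMCAT_INIT" start || { log "init script start failed"; exit 1; }
      wait_for_port 127.0.0.1 8080 30 || { log "port 8080 never opened"; exit 1; }
      log "tomcat answering on 8080"
      ;;
  stop)
      "$TOMCAT_INIT" stop
      ;;
  status)
      wait_for_port 127.0.0.1 8080 1 && echo up || echo down
      ;;
  "")
      ;;   # run without an argument: only define the functions
  *)
      echo "usage: $0 {start|stop|status}" >&2; exit 2 ;;
esac
```

Install it once as start-tomcat.sh and once as stop-tomcat.sh (or point both monit lines at it with the start/stop argument), and make it executable; a wrapper that exits non-zero when 8080 does not open is what turns "'tomcat' failed to start" in monit.log into something you can act on.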
Friday, August 17, 2007
*Nix Tidbits
Got this error/warning while restarting Apache on FreeBSD:
No such file or directory:
Failed to enable the ‘httpready’ Accept Filter
To resolve this, issue the following command:
kldload accf_http
----------------------------------------------------------------------------------
So, some directory was filled with thousands of files. To remove these files, you would issue:
rm -rf *
But if this error occurs:
/bin/rm: Argument list too long
You may use find and xargs instead. To do that, you can issue this command:
find . -type f -name '*string_here*' -print | xargs rm
Others may ask, why not use the -delete option instead of xargs rm? There are a lot of deployments that have an old version of find. :)
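The find-and-xargs approach above as a reusable function, added here as an example that is not from the post. It keeps the post's `find ... | xargs rm` shape but passes names NUL-delimited (`-print0` / `xargs -0`), which both GNU and BSD find support and which is the one thing the plain `-print | xargs rm` form gets wrong: a filename containing a space or newline is split into pieces and the wrong paths are handed to rm. The demo directory and its filenames are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: remove files matching a pattern with
# find + xargs, NUL-delimited so odd filenames survive, with a dry-run switch.
# Assumes find supports -print0 and xargs supports -0 (GNU and BSD both do).

# Count matching regular files without relying on one-name-per-line output.
count_matching() {
    find "$1" -type f -name "$2" -print0 | tr -dc '\000' | wc -c
}

# usage: purge_matching DIR PATTERN [dry]
# Prints the number of files removed (0 in dry-run mode, which only lists them).
purge_matching() {
    dir=$1; pattern=$2; dry=${3:-}
    before=$(count_matching "$dir" "$pattern")
    if [ -n "$dry" ]; then
        find "$dir" -type f -name "$pattern" -print
    else
        # xargs batches arguments under ARG_MAX, so this never hits
        # "Argument list too long" the way `rm -rf *` does.
        find "$dir" -type f -name "$pattern" -print0 | xargs -0 rm -f --
    fi
    after=$(count_matching "$dir" "$pattern")
    echo $((before - after))
}

# Demo on a constructed scratch directory; prints "<removed> <remaining>".
demo_purge() {
    d=$(mktemp -d)
    touch "$d/app.log" "$d/app with space.log" "$d/old.log" "$d/keep.txt"
    removed=$(purge_matching "$d" '*.log')
    remaining=$(find "$d" -type f -print0 | tr -dc '\000' | wc -c)
    rm -rf "$d"
    echo "$removed $((remaining))"
}

demo_purge
```

Run with a third argument (`purge_matching /var/tmp/spool '*.tmp' dry`) first to see the list, then without it to delete; on the constructed demo the output is `3 1`, the three .log files gone and keep.txt untouched.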
Labels: find, FreeBSD, httpd, Linux, rm, xarg